[dev] External access tickets
Jan Schneider
jan at horde.org
Mon Mar 11 16:41:40 UTC 2019
Quoting Michael J Rubinsky <mrubinsk at horde.org>:
> Quoting Ralf Lang <lang at b1-systems.de>:
>
>> Hello,
>>
>> I need to provide throwaway access to some shared resources in a
>> horde_shares based application.
>> This means, the subject to grant access to will not be a horde user, but
>> access will not be granted globally.
>>
>> Think of a scenario where you want to give - potentially time-limited,
>> revocable - access to a calendar, address book, file or similar resource
>> to an external party.
>>
>> Strategies to implement
>>
>> - Have an application-specific table with some auth string, related
>> resource ID, expiry date
>>
>> OR
>>
>> - Make this a feature of Horde_Shares (separate table app_sharesng_tickets)
>>
>> OR
>>
>> - Make this a feature of the RPC/Rest/access stack.
>>
>> What would make most sense / have a chance for committing back into Horde?
>>
>>
>>
>> Kludges/Workarounds
>>
>> - have a separate vhost with a separate auth table/source but shared
>> application/resource tables.
>
>
> Is the idea to grant API access only, or full UI access?
>
> I'm not sure the Horde_Shares strategy would work, though I honestly
> like that as an idea the best. How would we be authenticated to the
> actual application?
>
> It would be great if we could use this as a basis for a full
> role-based authentication and claims system.

I agree that using Horde_Shares for this makes most sense. We
implement all permissions there already anyway, so we still have a
single point to check for resource permissions.

As for the application access: the application-permission-system could
maybe hook into Horde_Shares to allow overriding of individual
application's permissions, so as to allow non-authenticated access to
guest shares or ticketed resources.

--
Jan Schneider
The Horde Project
https://www.horde.org/
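
The ticket table from the quoted proposal (auth string, resource ID, expiry date), with revocation and a per-ticket permission mask, sketched as an added example that is not code from this thread or from Horde. The table, column and function names are hypothetical, the share ID and mask in the demo are constructed, and SQLite through PDO stands in for the real backend.

```php
<?php
declare(strict_types=1);
// Hypothetical table and function names; this is not Horde_Share's API.
const TICKET_SCHEMA = 'CREATE TABLE share_tickets (
    token_hash TEXT PRIMARY KEY,  -- SHA-256 of the token, never the token itself
    share_id   TEXT NOT NULL,     -- the one resource this ticket unlocks
    perms      INTEGER NOT NULL,  -- permission bitmask granted to the holder
    expires_at INTEGER NOT NULL,  -- Unix timestamp
    revoked    INTEGER NOT NULL DEFAULT 0)';

// Issue a ticket; the return value is the only copy of the secret.
function issueTicket(PDO $db, string $shareId, int $perms, int $ttl): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO share_tickets
        (token_hash, share_id, perms, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $shareId, $perms, time() + $ttl]);
    return $token;
}

// Returns the granted mask, or 0 if unknown, expired, revoked or for another resource.
function checkTicket(PDO $db, string $token, string $shareId): int
{
    // Lookup is by hash, so no secret is compared byte-by-byte in PHP.
    $stmt = $db->prepare('SELECT share_id, perms, expires_at, revoked
        FROM share_tickets WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['revoked'] === 1
        || (int) $row['expires_at'] <= time()
        || $row['share_id'] !== $shareId) {
        return 0;
    }
    return (int) $row['perms'];
}

function revokeTicket(PDO $db, string $token): void
{
    $db->prepare('UPDATE share_tickets SET revoked = 1 WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
}

// Constructed demo against an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec(TICKET_SCHEMA);
$t = issueTicket($db, 'calendar:team', 2, 3600);
var_dump(checkTicket($db, $t, 'calendar:team'));   // valid ticket, matching resource
var_dump(checkTicket($db, $t, 'calendar:other'));  // same ticket, different resource
revokeTicket($db, $t);
var_dump(checkTicket($db, $t, 'calendar:team'));   // after revocation
```

Because only the hash is stored, a leaked copy of the table does not yield usable tickets, and binding each row to one `share_id` keeps a ticket from being replayed against another resource.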